Judging by frequent headlines about stolen credit card numbers and hacker attacks, companies face cyber security threats from around the world. But are Kentucky companies doing enough to keep their information, and their customers’ data, safe?
Cyber threats take many
shapes, from the proverbial hacker in his mom’s basement to organized gangs in
Eastern European countries. And experts say the bad guys have to be right only
one time to pull off an attack, whereas the corporate guardians have to get it
right every day, all day to keep company assets safe.
The damage from a major
cyber attack could be huge – the power grid goes dark, electronic payments are
compromised or disabled, and communications including phones and email go
offline. Data breaches can cost a company a lot of money in fines as well as
lost business and perhaps most costly of all, a loss of consumer trust.
A few months ago, the
Twitter feed for the Associated Press was hacked, and unauthorized tweets were
seen by millions of people. “The Twitter feed was probably not on the security
team’s plan because there is not company data involved, but I’ll bet it is
now,” said David Kidd, director of quality assurance and compliance for Peak
10, a Charlotte, N.C.-based information technology service provider with three
data centers in Louisville.
In New York, a globally organized gang of hackers managed to steal $45 million from automated teller machines. Another group stole 160 million credit card numbers over a period of years. Interestingly, the gang members held some of their meetings in person because they didn’t trust the security of their own digital communications, according to InformationWeek Security magazine.
As more and more sensors
and equipment are connected to the Internet, the threat of attack grows larger.
And the intent behind incursions is typically more serious. The days of
adolescent hackers breaking into a system just to see if they can do it are
long gone. Cyber attacks are usually aimed at gathering personal data, often to
sell to identity thieves who create fake credit and debit cards.
Thieves and hackers buy
and sell data and intrusion secrets in private forums, said David Montgomery,
senior account manager for SDGblue LLC in Lexington, who changes his own
12-character alphanumeric password every 30 days.
“If you can read, you
can be a hacker, because you can pay money and they give you the instructions
on how to run these hacking tools,” he said.
Hackers attack for many
reasons in addition to stealing personal data.
“There’s corporate
espionage, where hackers try to steal engineering diagrams and product plans,
that’s definitely a risk for many companies engaging in significant product
development,” said Vince Kellen, CIO for the University of Kentucky.
Some hackers attack for
political or personal reasons against companies and organizations that hold
opposing viewpoints.
“Hacktivism groups are not always after money. Sometimes it’s just for defacement or political reasons,” said Tyler Leet, director of risk and compliance services for Paducah-based CSI Inc. “Get a large group of cyber nerds together, and they can do some dangerous things.”
Financial institutions and healthcare facilities face some of the toughest challenges in protecting data because of regulatory requirements. Hospitals and other healthcare providers have to secure patients’ medical records as well as payment information. However, practically any company is a target for hackers looking to disrupt business.
“Although there might be
different regulatory risks, it’s all about protecting information, the
availability of your systems and data and the integrity of that data to make
sure those are protected,” Leet said.
In fact, hackers can break into a network and encrypt a company’s data with a key known only to the attacker. The attacker, usually a member of a gang, holds the data hostage until the company pays a ransom for the decryption key. A company that does not hold backups the attacker could not reach has no other way to get its data back.
How do Kentucky
companies stack up against the threat of cyber attack? While it’s difficult to
give an overall assessment of security levels, Kentucky companies tend to be 12
to 18 months behind the leading edge in adopting the latest cyber security
tools, Montgomery said. “Some of the hot topics here right now, in a different
locale might have been front page news a few years ago,” he said.
More mobile devices, less security?
The spread of smart
phones and tablets has increased the level of difficulty for security experts.
Employees want to be able to access their company email and networks while
traveling or at home on the couch.
It’s called “Bring Your
Own Device” and it scares cyber security experts. A typical employee may have
four or more devices at home to access a company’s computer network for email
or other applications.
“Mobile devices
introduce a new avenue of possible exploits, because now you have employees
taking devices home and maybe their family uses those devices, so how do you
control what happens on those devices and what happens when it’s brought back
into the internal network?” Leet said.
Employees’ personal
devices present a policy challenge for companies. After all, the employee paid
for the device.
“The employees can do
whatever they want with the device, but the data they access belongs to the
company, not the employee,” Kidd said. “There have to be security policies in
place to access the company’s data regardless of the device that’s used; the device
is really just another access point.”
There are still some
gray areas for companies in managing employees’ devices.
“If a company has the
ability to wipe data from an employee’s device, what’s the liability if I wipe
some of your personal data?” Montgomery said. “There is no consistent set of
policies that everyone is adhering to.”
White hat attacks
Consultants test companies’ cyber security with “white hat” attacks, carried out by the good guys with the company’s permission and designed to root out weaknesses before real attackers find them.
SDGblue sent an email to 300 employees of a company, and 87 of them provided their user IDs and passwords, Montgomery said. The technique is called “phishing,” a form of “social engineering”: attackers send mass emails that try to trick people into voluntarily giving up their passwords by reply email, or they pose as an authority figure in a phone call.
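The phishing e-mails described above usually leave traces in the message headers and body that can be scored before a user ever sees them. The Python below is an added example, not part of the article and not a product of any firm quoted in it: it parses a raw message and flags a sender display name that invokes the company while the address is elsewhere, a sender domain one or two characters away from the company’s own, a Reply-To that diverts answers to a third party, and urgency language that asks for credentials. ORG_DOMAIN, the score threshold and the three sample messages are assumptions constructed for the example.

```python
"""Heuristic scoring of credential-phishing e-mail.

Added example for illustration; not code from the article. Scores a raw
RFC 5322 message on four signals common to credential-harvesting mail:
a display name that invokes the organisation while the address is
elsewhere, a sender domain a character or two away from the real one,
a Reply-To that diverts replies to a third party, and urgency language
asking for credentials. ORG_DOMAIN, the threshold and the sample
messages are assumptions constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example-bank.test"          # assumed: the organisation's own mail domain
ORG_NAME = ORG_DOMAIN.split(".")[0]       # "example-bank", as it might appear in a display name
FLAG_AT = 2                               # independent signals needed to flag a message
URGENCY_PHRASES = ("verify your account", "password", "immediately",
                   "suspended", "reply with", "user id")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot look-alike domains such as examp1e-bank.test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def score_message(raw: bytes) -> dict:
    """Return {'score': n, 'flagged': bool, 'reasons': [...]} for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    internal = from_domain == ORG_DOMAIN or from_domain.endswith("." + ORG_DOMAIN)
    reasons = []

    # 1. Display name claims the organisation but the address is external.
    if ORG_NAME in display_name.lower() and not internal:
        reasons.append(f"display name '{display_name}' but sender domain {from_domain}")

    # 2. Sender domain is a near miss for the real one (typo-squat / homoglyph).
    if not internal and levenshtein(from_domain, ORG_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain {from_domain}")

    # 3. Replies are diverted to a domain other than the sender's.
    reply_domain = _domain(str(msg["Reply-To"])) if msg["Reply-To"] else ""
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To diverts to {reply_domain}")

    # 4. Body pressures the reader and asks for credentials (two phrases or more).
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    matched = [p for p in URGENCY_PHRASES if p in body]
    if len(matched) >= 2:
        reasons.append("urgency/credential language: " + ", ".join(matched))

    return {"score": len(reasons), "flagged": len(reasons) >= FLAG_AT, "reasons": reasons}


# Constructed sample messages (not real mail).
PHISH = b"""From: Example-Bank IT Department <it-support@examp1e-bank.test>
Reply-To: <collect@mailbox-free.test>
To: staff@example-bank.test
Subject: Action required
Content-Type: text/plain; charset="utf-8"

Your password expires immediately. Reply with your user ID and password
to verify your account or it will be suspended.
"""

HELPDESK = b"""From: IT Helpdesk <helpdesk@example-bank.test>
To: staff@example-bank.test
Subject: Saturday maintenance
Content-Type: text/plain; charset="utf-8"

The file server will be offline Saturday 02:00-04:00. No action is needed.
"""

NEWSLETTER = b"""From: Acme Newsletter <news@acme-news.test>
Reply-To: <support@acme.test>
To: staff@example-bank.test
Subject: March update
Content-Type: text/plain; charset="utf-8"

Thanks for reading our monthly update.
"""


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("helpdesk", HELPDESK), ("newsletter", NEWSLETTER)):
        result = score_message(raw)
        print(label, result["score"], "FLAGGED" if result["flagged"] else "ok", result["reasons"])
```

Requiring two independent signals matters: the newsletter trips the Reply-To check alone, which is common for legitimate bulk mail, and is left alone, while the credential request fires all four checks. The heuristics are a triage layer, not a substitute for the employee training the article goes on to describe.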
“Even in 2013, fairly
sophisticated people are still falling prey to phishing attacks,” said Kevin
Kirby, Ph.D., dean of the College of Informatics at Northern Kentucky
University.
At a hospital, an employee gave her name and password to someone who called claiming to be from the IT department. She saw through the ruse only when the caller, who had a heavy Eastern European accent, asked what programs she was running.
“She hung up on him and
called their IT department, but they had to send a (computer system) server to
a forensics specialist and it cost $12,000 to find out what the damage was,”
Montgomery said.
In testing security at community banks, Leet said his white-hat team typically can gain access to about 10 percent of a bank’s network because many devices still use the default passwords they shipped with. Attackers can look up those defaults in vendor documentation and easily get a foothold inside the network.
Regular security
training and communication for employees is important to remind them to change
passwords and not click on links or attachments in suspicious emails. However,
too many companies skip security in new employee orientation, Leet said.
“We’ve tested one bank
for years, and every year there are a few employees who give up their passwords.
There are always new employees,” Leet said. “If a new person hasn’t been
trained, as soon as they become an active member of your network they become a
liability.”
While there are many
things companies can do to improve cyber security, some of the most effective
are also the least costly to implement.
“Develop a password
policy and don’t use one password for everything,” Kellen said. “If you change
passwords regularly, even if it’s stolen it won’t be useful for very long.”
Management oversight
also adds another layer of cyber defense.
“Have a proper
segregation of duties and oversight over those duties,” Kellen said. “Design
the business processes appropriately so that it will be harder for someone to
compromise the company with stolen data.”
The University of
Kentucky aims to boost graduation rates by following the big data behind
student performance.
The university is using
new tools to look at data it’s always had in a whole new way. Vince Kellen,
UK’s chief information officer, said the university is using new software from
SAP that allows it to sift and sort a wide range of data behind a student’s
likelihood of graduation. By looking at course history, grades, class
attendance and engagement data, UK is starting to build a picture of what makes
a successful student.
The new tool is 1,000 to 20,000 times faster than the university’s previous software, so analysis that would have taken hours now takes seconds. That speed lets UK examine its big data in ways that were not practical before.
“With that performance
you can think differently about how to analyze data,” Kellen said, “and you
don’t have to worry if it’s too much data.”
“Big data” is exactly
that, data that’s too voluminous, comes from too many places and moves at too
fast a pace to handle in a standard fashion. How big is “big” really depends on
the size of the organization and the tools it has to manage and analyze data.
“We’re looking at big data in terms of the ability of the company or organization to manage it effectively,” Kellen said.
With powerful new tools,
big data is becoming a reality for many companies.
UPS uses big data to
develop the most effective routes for packages and trucks. Basing its marketing
on prior purchases among pregnant women, Target infamously sent coupons for
baby products to customers who hadn’t yet told their families they were
expecting. Google is using its treasure trove of big data to develop shopping
systems that can send you groceries when you run out without having to place an
order.
With its data
initiatives, UK is developing scorecards for students to show how engaged a
student is and whether he or she may need academic assistance. Similar
measurements could be applied to employee engagement.
“For a lot of companies,
knowledge and training of employees is critical,” Kellen said. “Some companies
are deploying solutions to help bring information to employees.”
At UK the data was
already there, but it takes new tools and ways of thinking to be able to ask
the right questions to sort out the answers.
“Every business has more
value they can extract out of their data, you just need to get the right people
who can think about that correctly,” Kellen said.